What Are HIPAA Safeguards?
HIPAA safeguards are measures that a healthcare organization puts into place to protect the confidentiality, integrity, and availability of protected health information (PHI). HIPAA categorizes safeguards into three groups – administrative, physical, and technical.
Administrative safeguards are written policies and procedures that dictate the proper uses and disclosures of PHI.
Physical safeguards are measures that protect an organization’s physical location, such as locks and alarm systems.
Technical safeguards are measures that protect electronic PHI (ePHI).
While administrative and physical safeguards are important, technical safeguards are generally the determining factor of a software provider’s HIPAA compliance. Technical safeguards that you should keep an eye out for include encryption, user authentication, access controls, and audit controls.
Why Is a Business Associate Agreement Important?
Business associate agreements are a key determinant of HIPAA compliance. Even the most secure software platform is NOT HIPAA compliant if its vendor will not sign a business associate agreement (BAA).
A BAA is a legal agreement that requires each signing party to be HIPAA compliant and be responsible for maintaining compliance. As such, a BAA limits the liability for both signing parties in the event of a breach or OCR audit, as only the negligent party would be held culpable.
Is ServiceNow HIPAA Compliant?
So, is ServiceNow HIPAA compliant?
ServiceNow’s data security standards easily meet the requirements of the HIPAA Security Rule. The company is also willing to enter into a Business Associate Agreement, but there are clearly stated limitations, which means ServiceNow’s HIPAA compliance is limited.
Specifically, ServiceNow will only enter into a BAA as a data processor, meaning its responsibility is to perform the actions requested by the data controller. The organization using the ServiceNow platform is responsible for all decisions concerning what data is stored and how it is used.
Within those parameters, ServiceNow appears to be HIPAA compliant.